Abstract

The propositional μ-calculus is a powerful language for expressing properties of transition systems by using least and greatest fixpoint operators. Recently, the μ-calculus has generated much interest among researchers in computer-aided verification. This interest stems from the fact that many temporal and program logics can be encoded into the μ-calculus. In addition, important relations between transition systems, such as weak and strong bisimulation equivalence, also have fixpoint characterizations. Wide-spread use of binary decision diagrams has made fixpoint based algorithms even more important, since methods that require the manipulation of individual states do not take advantage of this representation.
1 Introduction

The propositional μ-calculus is a powerful language for expressing properties of transition systems by using least and greatest fixpoint operators. Recently, the μ-calculus has generated much interest among researchers in computer-aided verification. This interest stems from the fact that many temporal and program logics can be encoded into the μ-calculus. In addition, important relations between transition systems, such as weak and strong bisimulation equivalence, also have fixpoint characterizations [17].

Another source of interest in the μ-calculus comes from the existence of efficient model checking algorithms for this formalism. As a consequence, verification procedures for many temporal and modal logics can be succinctly described by translating into the μ-calculus. Wide-spread use of binary decision diagrams has made fixpoint based algorithms even more important, since methods that require the manipulation of individual states do not take advantage of this representation.

Several versions of the propositional μ-calculus have been described in the literature, and the ideas in this paper will work with any of them. For the sake of concreteness, we will use the propositional μ-calculus of Kozen [12]. Closed formulas in this logic evaluate to sets of states. A considerable amount of research has focused on finding techniques for evaluating such formulas efficiently, and many algorithms have been proposed for this purpose. These algorithms generally fall into two categories, local and global.

Local procedures are designed for proving that a specific state of the transition system satisfies the given formula. Because of this, it is not always necessary to examine all the states in the transition system. However, the worst-case complexity of these approaches is generally larger than the complexity of the global methods. Tableau-based local approaches have been developed by Cleaveland [8], Stirling and Walker [19], and Winskel [21]. More recently, Andersen [1] and Larsen [13] have developed efficient local methods for a subset of the μ-calculus. Mader [15] has also proposed improvements to the tableau-based method of Stirling and Walker that seem to increase its efficiency.

In this paper, we restrict ourselves to global model checking procedures. Global procedures generally work bottom-up through the formula, evaluating each subformula based on the values of its subformulas. Iteration is used to compute the fixpoints. Because of fixpoint nesting, a naive global algorithm may require about $O(n^k)$ iterations to evaluate a formula, where $n$ is the number of states in the transition system and $k$ is the depth of nesting of the fixpoints. Emerson and Lei [11] improve on this by observing that successively nested fixpoints of the same type do not increase the complexity of the computation. They formalize this observation using the notion of alternation depth and give an algorithm requiring only about $O(n^d)$ iterations, where $d$ is the alternation depth. In an implementation, bookkeeping and set manipulations may add another factor of $n$ or so to the time required. Subsequent work by Cleaveland, Klein, Steffen, and Andersen [1, 9, 10] has reduced this extra complexity, but the overall number of iterations has remained about $O(n^d)$. In [14] the authors have improved on this by giving an algorithm that uses only $O(n^{\lfloor d/2 \rfloor + 1})$ iterations to compute a formula with alternation depth $d$, thus requiring only about the square root of the time needed by earlier algorithms.

This paper describes the propositional μ-calculus and general algorithms for evaluating μ-calculus formulas. Examples of verification problems that can be encoded within the language of the μ-calculus are also provided. The remainder of this paper is organized as follows. A formal syntax and semantics for the propositional μ-calculus is given in Section 2. Section 3 discusses different algorithms for evaluation of μ-calculus formulas and their complexities. A brief description of Ordered Binary Decision Diagrams (OBDDs) is given in Section 4. Section 5 presents the algorithm for encoding μ-calculus formulas with OBDDs. The syntax and semantics for CTL and for CTL with fairness constraints are given in Section 6, while a translation of these logics into the μ-calculus is given in Section 7. Definitions for different kinds of simulation preorders and bisimulation equivalences are given in Section 8 along with encodings for these relations in the μ-calculus. Finally, Section 9 concludes the paper and discusses some open problems.

2 The Propositional μ-Calculus

In the propositional μ-calculus, formulas are constructed as follows:

• atomic propositions $AP = \{p, p_1, p_2, \ldots\}$

• relational variables $VAR = \{R, R_1, R_2, \ldots\}$

• logical connectives $\neg\cdot$, $\cdot \wedge \cdot$ and $\cdot \vee \cdot$

• modal operators $\langle a \rangle\cdot$ and $[a]\cdot$, where $a$ is an action in the set $Act = \{a, b, a_1, a_2, \ldots\}$

• fixpoint operators $\mu R_i.(\cdots)$ and $\nu R_i.(\cdots)$. Relational variables bound by the fixpoint operators must be in the scope of an even number of negations.

There is a standard notion of free and bound variables (by fixpoint operators) in the formulas. Closed formulas are the formulas without free variables. Formulas in this calculus are interpreted relative to a transition system $M = (\mathcal{S}, L, T)$ that consists of:

• a nonempty set of states $\mathcal{S}$

• a mapping $L : AP \to 2^{\mathcal{S}}$ that takes each atomic proposition to some subset of $\mathcal{S}$ (the states where the proposition is true)

• a mapping $T : Act \to 2^{\mathcal{S} \times \mathcal{S}}$ that takes each action to a binary relation over $\mathcal{S}$ (the state changes that can result from making an action)

The intuitive meaning of the formula $\langle a \rangle \phi$ is "it is possible to make an $a$-action and transition to a state where $\phi$ holds". $[\cdot]$ is the dual of $\langle \cdot \rangle$; for $[a]\phi$, the intended meaning is that "$\phi$ holds in all states reachable (in one step) by making an $a$-action." The $\mu$ and $\nu$ operators are used to express least and greatest fixpoints, respectively. To emphasize the duality between least and greatest fixpoints, we write the empty set of states as $\bot$ (and the set of all states as $\top$). Also, in the rest of this paper, we will use the more intuitive notation $s \xrightarrow{a} s'$ to mean $(s, s') \in T(a)$.

Formally, a formula $\phi$ is interpreted as a set of states in which $\phi$ is true. We write such a set of states as $[\![\phi]\!]_M e$, where $M$ is a transition system and $e : VAR \to 2^{\mathcal{S}}$ is an environment. We denote by $e[R \leftarrow S]$ a new environment which is the same as $e$ except that $e[R \leftarrow S](R) = S$. The set $[\![\phi]\!]_M e$ is defined recursively as follows.

• $[\![p]\!]_M e = L(p)$

• $[\![R]\!]_M e = e(R)$

• $[\![\neg\phi]\!]_M e = \mathcal{S} - [\![\phi]\!]_M e$

• $[\![\phi \wedge \psi]\!]_M e = [\![\phi]\!]_M e \cap [\![\psi]\!]_M e$

• $[\![\phi \vee \psi]\!]_M e = [\![\phi]\!]_M e \cup [\![\psi]\!]_M e$

• $[\![\langle a \rangle \phi]\!]_M e = \{\, s \mid \exists t\,[s \xrightarrow{a} t \text{ and } t \in [\![\phi]\!]_M e]\,\}$

• $[\![[a]\phi]\!]_M e = \{\, s \mid \forall t\,[s \xrightarrow{a} t \text{ implies } t \in [\![\phi]\!]_M e]\,\}$

• $[\![\mu R.\phi]\!]_M e$ is the least fixpoint of the predicate transformer $\tau : 2^{\mathcal{S}} \to 2^{\mathcal{S}}$ defined by:

$$\tau(S) = [\![\phi]\!]_M e[R \leftarrow S]$$

• The interpretation of $\nu R.\phi$ is similar, except that we take the greatest fixpoint.

Within formulas, the negation is restricted in use, and so the fixpoints are guaranteed to be well-defined. Formally, every logical connective except negation is monotonic ($\phi \to \psi$ implies $\phi \wedge \chi \to \psi \wedge \chi$, $\langle a \rangle \phi \to \langle a \rangle \psi$ and $[a]\phi \to [a]\psi$); all the negations can be pushed down to the atomic propositions using De Morgan's laws and the dualities $\neg[a]\phi = \langle a \rangle \neg\phi$, $\neg\langle a \rangle \phi = [a]\neg\phi$, $\neg\mu R.\phi(R) = \nu R.\neg\phi(\neg R)$ and $\neg\nu R.\phi(R) = \mu R.\neg\phi(\neg R)$. Since bound variables are under an even number of negations, they will be negation free after this process. Thus, each possible formula in a fixpoint operator is monotonic and hence each possible $\tau$ is also monotonic ($S \subseteq S'$ implies $\tau(S) \subseteq \tau(S')$). This is enough to ensure the existence of the fixpoints [20]. Furthermore, since we will be evaluating formulas over finite transition systems, monotonicity of $\tau$ implies that $\tau$ is also $\cup$-continuous and $\cap$-continuous, and hence the least and greatest fixpoints can be computed by iterative evaluation:

$$[\![\mu R.\phi]\!]_M e = \bigcup_i \tau^i(\bot) \qquad\qquad [\![\nu R.\phi]\!]_M e = \bigcap_i \tau^i(\top).$$

($\tau^i(S)$ can be defined recursively as $\tau^0(S) = S$ and $\tau^{i+1}(S) = \tau(\tau^i(S))$.) Since the domain $\mathcal{S}$ is finite, the iteration must stop after a finite number of steps. More precisely, for some $i \le |\mathcal{S}|$, the fixpoint is equal to $\tau^i(\bot)$ (for a least fixpoint) or $\tau^i(\top)$ (for a greatest fixpoint). To find the fixpoint, we repeatedly apply $\tau$ starting from $\bot$ or from $\top$ until the result does not change.

The alternation depth of a formula is intuitively equal to the number of alternations in the nesting of least and greatest fixpoints, when all negations are applied only to propositions. There are other more elaborate definitions of alternation depth [1, 2, 9] that take into account the possibility that nested fixpoints may still be independent. Such fixpoints do not depend on the value of approximations to outer fixpoints. Consequently, they only need to be evaluated once. This type of nesting does not increase the effective alternation depth. However, to simplify our presentation we will use the definition of alternation depth given by Emerson and Lei [11]. Formally, the alternation depth is defined as follows:
Definition 2.1

• The alternation depth of an atomic proposition or a relational variable is 0;

• The alternation depth for formulas like $\phi \wedge \psi$, $\phi \vee \psi$, etc., is the maximum alternation depth of the subformulas $\phi$ and $\psi$.

• The alternation depth of $\mu R.\phi$ is the maximum of: one, the alternation depth of $\phi$, and one plus the alternation depth of any top-level $\nu$-subformulas of $\phi$. A top-level $\nu$-subformula of $\phi$ is a subformula $\nu R'.\psi$ of $\phi$ that is not contained within any other fixpoint subformula of $\phi$. The alternation depth of $\nu R.\phi$ is similarly defined.

Example 2.1 Consider the following formula, which will be discussed in Section 7.

$$\nu Y.(P \wedge \langle a \rangle[\mu X.(P \wedge \langle a \rangle X) \vee (h \wedge Y)])$$

This formula expresses the property "$P$ holds continuously along some fair $a$-path" and has an alternation depth of two.

Because of the duality

$$\nu R.\phi(\cdots, R, \cdots) = \neg\mu R.\neg\phi(\cdots, \neg R, \cdots)$$

we could have defined the propositional μ-calculus with just the least fixpoint operator and negation. In order to give a succinct description of certain constructions we sometimes use the dual formulation. However, the concept of alternation depth is easier to define using the formulation given earlier.

3 Evaluating Fixpoint Formulas

We define model checking as a technique of verifying a model relative to its specification in the μ-calculus. This is the same as evaluating a formula in a model, i.e., finding the set of states of the model where the formula is true. Figure 1 presents the naive, straightforward, recursive algorithm for evaluating μ-calculus formulas. The time complexity of the algorithm in Figure 1 is exponential in the length of the formula. To see this, we analyze the behavior of the algorithm when computing nested fixpoints. The algorithm computes fixpoints by iteratively computing approximations. These successive approximations form a chain ordered by inclusion. Since the number of strict inclusions in such a chain is limited by the number of possible states, we have that the loop will execute at most $n + 1$ times, where $n = |\mathcal{S}|$. Each iteration of the loop involves a recursive call to evaluate the body of the fixpoint with a different value for the fixpoint variable. If, in turn, the subformula being evaluated contains a fixpoint, the evaluation of its body will also involve a loop containing up to $n + 1$ recursive calls. Thus, the total number of recursive calls will be $O(n^2)$. In general, the body of the innermost fixpoint will be evaluated $O(n^k)$ times, where $k$ is the maximum nesting depth of fixpoint operators in the formula.

Note that we have only considered the number of iterations required when evaluating fixpoints and not the number of steps required to evaluate a μ-calculus formula. While each fixpoint may only take $O(n)$ iterations, each individual iteration can take up to $O(|M||\phi|)$ steps, where $M = (\mathcal{S}, L, T)$ is the model and $|M| = |\mathcal{S}| + \sum_{a \in Act} |T(a)|$. In general, then, this algorithm has time complexity $O(|M||\phi|n^k)$.

    function eval(φ, e)
      if φ = p then return L(p)
      if φ = R then return e(R)
      if φ = ψ₁ ∧ ψ₂ then
        return eval(ψ₁, e) ∩ eval(ψ₂, e)
      if φ = ψ₁ ∨ ψ₂ then
        return eval(ψ₁, e) ∪ eval(ψ₂, e)
      if φ = ⟨a⟩ψ then
        return { s | ∃t [s →a t and t ∈ eval(ψ, e)] }
      if φ = [a]ψ then
        return { s | ∀t [s →a t implies t ∈ eval(ψ, e)] }
      if φ = μR.ψ(R) then
        R_val := ⊥
        repeat
          R_old := R_val
          R_val := eval(ψ, e[R ← R_val])
        until R_val = R_old
        return R_val
      if φ = νR.ψ(R) then
        R_val := ⊤
        repeat
          R_old := R_val
          R_val := eval(ψ, e[R ← R_val])
        until R_val = R_old
        return R_val

Figure 1: Pseudocode for the naive algorithm

A result by Emerson and Lei demonstrates that the value of a fixpoint formula can be computed with $O((|\phi| n)^d)$ iterations, where $d$ is the alternation depth of $\phi$. Their algorithm is similar to the straightforward one described above, except when a fixpoint is nested directly within the scope of another fixpoint of the same type. In this case, the fixpoints are computed slightly differently.

A simple example will suffice to demonstrate the idea. When discussing the evaluation of fixpoint formulas, we will use $R_1, \ldots, R_k$ as the fixpoint variables, with $R_1$ being the outermost fixpoint variable and $R_k$ being the innermost. We will use the notation $R_j^{i_1 \cdots i_j}$ to denote the value of the approximation for $R_j$ after having computed the $i_l$-th approximation for $R_l$ for $1 \le l \le j$. We use $i_j = \omega$ to indicate that we are considering the final approximation (the actual fixpoint value) for $R_j$. For example, $R_1^{\omega}$ is the value of the fixpoint for $R_1$ and $R_2^{30}$ is the initial approximation for $R_2$ after having computed the third approximation for $R_1$. Consider the formula

$$\mu R_1.\psi_1(R_1, \mu R_2.\psi_2(R_1, R_2)).$$

The subformula $\mu R_2.\psi_2(R_1, R_2)$ defines a monotonic predicate transformer $\tau$ taking one set (the value of $R_1$) to another (the value of the least fixpoint of $R_2$). When evaluating the outer fixpoint, we start with the initial approximation $R_1^0 = \bot$ and then compute $\tau(R_1^0)$. This is done by iteratively computing approximations for the inner fixpoint, also starting from $R_2^{00} = \bot$, until we reach a fixpoint $R_2^{0\omega}$. Now $R_1$ is increased to $R_1^1$, the result of evaluating $\psi_1(R_1^0, R_2^{0\omega})$. We next compute the least fixpoint $\tau(R_1^1)$. Since $R_1^0 \subseteq R_1^1$, by monotonicity we know that $\tau(R_1^0) \subseteq \tau(R_1^1)$. Now note that the following lemma holds:

Lemma 3.1 If $N \subseteq \bigcup_i \tau^i(\bot)$ then $\bigcup_i \tau^i(N) = \bigcup_i \tau^i(\bot)$.

In other words, to compute a least fixpoint, it is enough to start iterating with any approximation known to be below the fixpoint. Thus, we can start iterating with $R_2^{10} = R_2^{0\omega} = \tau(R_1^0)$ instead of $R_2^{10} = \bot$. When we compute the fixpoint $R_2^{1\omega}$, we next compute the new approximation $R_1^2$ to $R_1$, which is the result of evaluating $\psi_1(R_1^1, R_2^{1\omega})$. Again, we know that $R_1^1 \subseteq R_1^2$, which implies that $\tau(R_1^1) \subseteq \tau(R_1^2)$. But $\tau(R_1^1) = R_2^{1\omega}$, the value of the last inner fixpoint computed, and $\tau(R_1^2) = R_2^{2\omega}$, the fixpoint to be computed next. Again, we can start iterating with any approximation below the fixpoint. So to compute $R_2^{2\omega}$ we begin with $R_2^{20} = R_2^{1\omega} = \tau(R_1^1)$. In general, when computing $R_2^{i\omega}$ we always begin with $R_2^{i0} = R_2^{(i-1)\omega}$.

Since we never restart the inner fixpoint computation, we can have at most $n$ increases in the value of the inner fixpoint variable. Overall, we only need $O(n)$ iterations to evaluate this expression, instead of $O(n^2)$. In general, this type of simplification leads to an algorithm that computes fixpoint formulas in time exponential in the alternation depth of the formula, since we only reset an inner fixpoint computation when there is an alternation in fixpoints in the formula.

Thus, this algorithm for evaluating μ-calculus formulas is identical to the naive algorithm except in the case when the main connective is a fixpoint operator. The pseudocode for this algorithm is given in Figure 2. Note that unlike the naive algorithm, the approximation values $A[i]$ are not reset when evaluating the subformula $\mu R_i.\psi(R_i)$ ($\nu R_i.\psi(R_i)$). Instead, we reset all top-level greatest (least) fixpoint variables contained in $\psi$. Recall that by the top-level fixpoints in a formula we mean all the fixpoints of the same type ($\mu$ or $\nu$) that are not in the scope of the other type of fixpoints. This guarantees that when we evaluate a top-level fixpoint subformula of the same type, we do not start the computation from $\bot$ or $\top$, but from the previously computed value as in our example.

In [14] the authors observe that by storing even more intermediate values, the time complexity for evaluating fixpoint formulas can be reduced to $O(n^{\lfloor d/2 \rfloor + 1})$, where again $d$ is the alternation depth of the formula. To simplify our discussion, we consider formulas with strict alternation of fixpoints. We present a small example to illustrate the idea behind this algorithm.

    function eval(φ, e)
      N := the number of fixpoint operators in φ
      for i := 1 to N do A[i] := if the i-th fixpoint of φ is μ then ⊥ else ⊤
      return evalrec(φ, e)

where evalrec is defined recursively as

    function evalrec(φ, e)
      if φ = p then return L(p)
      if φ = R then return e(R)
      if φ = ψ₁ ∧ ψ₂ then
        return evalrec(ψ₁, e) ∩ evalrec(ψ₂, e)
      if φ = ψ₁ ∨ ψ₂ then
        return evalrec(ψ₁, e) ∪ evalrec(ψ₂, e)
      if φ = ⟨a⟩ψ then
        return { s | ∃t [s →a t and t ∈ evalrec(ψ, e)] }
      if φ = [a]ψ then
        return { s | ∀t [s →a t implies t ∈ evalrec(ψ, e)] }
      if φ = μR_i.ψ(R_i) then
        for all top-level greatest fixpoint subformulas νR_j.ψ'(R_j) of ψ
          do A[j] := ⊤
        repeat
          R_old := A[i]
          A[i] := evalrec(ψ, e[R_i ← A[i]])
        until A[i] = R_old
        return A[i]
      if φ = νR_i.ψ(R_i) then
        for all top-level least fixpoint subformulas μR_j.ψ'(R_j) of ψ
          do A[j] := ⊥
        repeat
          R_old := A[i]
          A[i] := evalrec(ψ, e[R_i ← A[i]])
        until A[i] = R_old
        return A[i]

Figure 2: Pseudocode for the Emerson and Lei algorithm

Consider the formula:

$$\mu R_1.\psi_1(R_1, \nu R_2.\psi_2(R_1, R_2, \mu R_3.\psi_3(R_1, R_2, R_3))).$$

To compute the outer fixpoint, we start with $R_1 = \bot$, $R_2 = \top$ and $R_3 = \bot$. As in the previous case, we denote these values by $R_1^0$, $R_2^{00}$, $R_3^{000}$ respectively. The superscript on $R_k$ gives the iteration indices for the fixpoints involving $R_1, \ldots, R_k$. We then iterate to compute the inner fixpoint; call the value of this fixpoint $R_3^{00\omega}$. We now compute the next approximation $R_2^{01}$ for $R_2$ by evaluating $\psi_2(R_1^0, R_2^{00}, R_3^{00\omega})$ and go back to the inner fixpoint.

Eventually, we reach the fixpoint for $R_2$, having computed $R_2^{00}, R_3^{00\omega}, R_2^{01}, R_3^{01\omega}, \ldots, R_2^{0\omega}, R_3^{0\omega\omega}$. Now we proceed to $R_1^1 = \psi_1(R_1^0, R_2^{0\omega})$. We know that $R_1^0 \subseteq R_1^1$, and we are now going to compute $R_2^{1\omega}$. Note that the values $R_2^{0\omega}$ and $R_2^{1\omega}$ are given by

$$R_2^{0\omega} = \nu R_2.\psi_2(R_1^0, R_2, \mu R_3.\psi_3(R_1^0, R_2, R_3))$$

and

$$R_2^{1\omega} = \nu R_2.\psi_2(R_1^1, R_2, \mu R_3.\psi_3(R_1^1, R_2, R_3)).$$

By monotonicity, we know that $R_2^{1\omega}$ will be a superset of $R_2^{0\omega}$. However, since $R_2$ is computed by a greatest fixpoint, this information does not help; we still must start computing with $R_2^{10} = \top$. At this point, we begin to compute the inner fixpoint again. But now let us look at $R_3^{00\omega}$ and $R_3^{10\omega}$. We have

$$R_3^{00\omega} = \mu R_3.\psi_3(R_1^0, R_2^{00}, R_3)$$

and

$$R_3^{10\omega} = \mu R_3.\psi_3(R_1^1, R_2^{10}, R_3).$$

Since $R_1^0 \subseteq R_1^1$ and $R_2^{00} = R_2^{10}$, monotonicity implies that $R_3^{00\omega} \subseteq R_3^{10\omega}$. Now $R_3$ is a least fixpoint, so starting the computation of $R_3^{10\omega}$ anywhere below the fixpoint value is acceptable. Thus, we can start the computation for $R_3^{10\omega}$ with $R_3^{100} = R_3^{00\omega}$. Since $R_3^{00\omega}$ is in general larger than $\bot$, we obtain faster convergence. In addition, we have

$$R_2^{01} = \psi_2(R_1^0, R_2^{00}, R_3^{00\omega})$$

and

$$R_2^{11} = \psi_2(R_1^1, R_2^{10}, R_3^{10\omega}).$$

Since $R_1^0 \subseteq R_1^1$, $R_2^{00} = R_2^{10}$, and $R_3^{00\omega} \subseteq R_3^{10\omega}$, we will have $R_2^{01} \subseteq R_2^{11}$. This means that we can use the same trick when computing $R_3^{11\omega}$: we start the computation from $R_3^{110} = R_3^{01\omega}$. And again, since $R_1^0 \subseteq R_1^1$, $R_2^{01} \subseteq R_2^{11}$, and $R_3^{01\omega} \subseteq R_3^{11\omega}$, we will have $R_2^{02} \subseteq R_2^{12}$. In general, we will have $R_2^{0j} \subseteq R_2^{1j}$ and $R_3^{0j\omega} \subseteq R_3^{1j\omega}$, so we can start computing $R_3^{1j\omega}$ from $R_3^{1j0} = R_3^{0j\omega}$. Similarly, once we find $R_1^2$ (or in general, $R_1^{i+1}$), we can start computing the inner fixpoints from $R_3^{(i+1)j0} = R_3^{ij\omega}$.

The table in Figure 3 illustrates this by showing the relationship between all the different possible approximation values for $R_3$. Each row can have at most $n + 1$ entries, one for each approximation to $\nu R_2.\psi_2$. At first glance, it seems possible that each column could have as many as $(n+1)^2$ entries. However, each chain represented by each column can have at most $n + 1$ distinct values. Repeated values only appear when convergence is reached ($R_3^{ij(k+1)} = R_3^{ijk}$) and when we start a computation from a previously computed fixpoint ($R_3^{(i+1)j0} = R_3^{ij\omega}$).

Convergence is reached every time the fixpoint is evaluated, and this fixpoint is evaluated once for every outer greatest fixpoint approximation, of which there can be no more than $n + 1$. Since there can be no more than $n + 1$ evaluations, we can start from a previously computed fixpoint no more than $n$ times. So the number of repeated values is bounded by $2n + 1$. Thus, the total number of entries in any column is bounded by $3n + 2$ and the total number of assignments to $R_3$ during the entire computation is bounded by $(3n + 2)(n + 1)$. This means that there are at most $O(n^2)$ iterations performed to compute the innermost fixpoint.
Figure 3: Monotonicity constraints on approximations to $R_3$ (table not reproduced here)

Again, this algorithm for evaluating a μ-calculus formula is identical to the naive algorithm except when the main connective is a fixpoint operator. To facilitate explanation, we consider only formulas with strict alternation of fixpoints, and in particular, with the form:

$$F_1 = \mu R_1.\psi_1(R_1, \nu R'_1.\psi'_1(R_1, R'_1, F_2))$$

$$F_2 = \mu R_2.\psi_2(R_1, R'_1, R_2, \nu R'_2.\psi'_2(R_1, R'_1, R_2, R'_2, F_3))$$

$$F_g = \mu R_g.\psi_g(R_1, R'_1, \ldots, R_g, \nu R'_g.\psi'_g(R_1, R'_1, \ldots, R_g, R'_g))$$

The pseudocode for this part of the algorithm is given in Figure 4. For computing the outermost fixpoint (corresponding to $R_1$) we follow the naive algorithm, i.e., start with $\bot$ and iterate until convergence. The algorithm uses a table $\mathcal{T}_i$ to store the last computed fixpoint values for the $\mu$-variables $R_i$ (for $i \ge 2$). Initially, all entries in $\mathcal{T}_i$ are $\bot$. The table is a multi-dimensional table. For the $i$-th least fixpoint (corresponding to $R_i$) we index the table $\mathcal{T}_i$ by the iteration counters $k_1, \ldots, k_{i-1}$ of the greatest fixpoints in which the $i$-th least fixpoint is nested. When evaluating $R_i$, we start with the corresponding table value and iterate until convergence. At the end of the iteration, the table holds the fixpoint value. When evaluating $R'_i$, we always begin with $\top$ and iterate until convergence. Note that this algorithm implements the ideas in the previous example.

    if φ = μR_i.ψ_i(R_i) and i ≥ 2 then
      R_val := 𝒯_i[k_1]···[k_{i-1}]
      repeat
        R_old := R_val
        R_val := evalrec(ψ_i, e[R_i ← R_old])
      until R_val = R_old
      𝒯_i[k_1]···[k_{i-1}] := R_val
      return R_val
    if φ = νR'_i.ψ'_i(R'_i) then
      k_i := 0
      R_val := ⊤
      repeat
        R_val := evalrec(ψ'_i, e[R'_i ← R_val])
        k_i := k_i + 1
      until k_i = |𝒮|
      return R_val

Figure 4: Pseudocode for the efficient algorithm
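The stored-fixpoint restart of Figure 4, as an added example that is not the paper's code, written out for the three-variable formula $\mu R_1.\psi_1(R_1, \nu R_2.\psi_2(R_1, R_2, \mu R_3.\psi_3(R_1, R_2, R_3)))$ discussed above. The transformers $\psi_1, \psi_2, \psi_3$ are passed in as monotone Python functions on frozensets of states (an assumed interface), the $\nu$-loop runs exactly $|\mathcal{S}|$ times with the counter $k$ as in Figure 4, and the table $\mathcal{T}_3$ is indexed by that counter. The model, its edges and its propositions are constructed for the example; the variant that restarts $R_3$ from $\bot$ every time corresponds to the Emerson-Lei treatment of a $\mu$ nested inside a $\nu$, and both variants follow the same schedule, so the counts differ only in where the innermost least fixpoint starts.

```python
# Added example (not the paper's code): the table-based restart of Figure 4 for
#     mu R1 . psi1(R1, nu R2 . psi2(R1, R2, mu R3 . psi3(R1, R2, R3))),
# with psi1, psi2, psi3 given as monotone functions on frozensets (assumed
# interface). The nu-loop runs exactly |S| times, counting k as Figure 4 does.

def lfp_from(tau, start):
    """Iterate tau from `start` until the value stops changing.
    Returns (value, number of applications of tau)."""
    cur, steps = start, 0
    while True:
        nxt = tau(cur)
        steps += 1
        if nxt == cur:
            return cur, steps
        cur = nxt

def evaluate(S, psi1, psi2, psi3, use_table):
    """Value of the formula and the number of psi3 evaluations performed."""
    S = frozenset(S)
    n = len(S)
    table = [frozenset()] * n        # T3 of Figure 4, indexed by the nu-counter k
    inner_steps = 0
    R1 = frozenset()                 # outermost least fixpoint: naive iteration
    while True:
        R2 = S                       # the greatest fixpoint always restarts from top
        for k in range(n):           # k-th approximation of R2
            start = table[k] if use_table else frozenset()
            R3, steps = lfp_from(lambda X: psi3(R1, R2, X), start)
            inner_steps += steps
            table[k] = R3            # remembered for the next approximation of R1
            R2 = psi2(R1, R2, R3)
        new_R1 = psi1(R1, R2)
        if new_R1 == R1:
            return R1, inner_steps
        R1 = new_R1

# Constructed model: states 0..3, a-edges 0->1, 1->2, 2->3, 3->2,
# with P = {1, 2, 3} and a fairness constraint h = {3}.
STATES = frozenset(range(4))
EDGES = {(0, 1), (1, 2), (2, 3), (3, 2)}
P, H = frozenset({1, 2, 3}), frozenset({3})

def pre(X):
    """States with an a-successor in X: the semantics of <a>."""
    return frozenset(s for s, t in EDGES if t in X)

# psi1 = R2 or <a>R1;  psi2 = P and <a>R3;  psi3 = (P and <a>R3) or (h and R2) or R1
def psi1(R1, R2):
    return R2 | pre(R1)

def psi2(R1, R2, R3):
    return P & pre(R3)

def psi3(R1, R2, R3):
    return (P & pre(R3)) | (H & R2) | R1

if __name__ == '__main__':
    print('restart from bottom:', evaluate(STATES, psi1, psi2, psi3, False))
    print('restart from table: ', evaluate(STATES, psi1, psi2, psi3, True))
```

On the constructed model both variants return the whole state set, but the innermost fixpoint needs 32 applications of $\psi_3$ when restarted from $\bot$ and 28 when resumed from the table: the first pass over the table is identical, and the savings appear from the second approximation of $R_1$ onwards, as the $R_3^{(i+1)j0} = R_3^{ij\omega}$ argument predicts.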

If we use these ideas, how many steps does the computation take? To try to answer this question, we look at the number of approximations computed for the $R_i$s and $R'_i$s in the algorithm. Let $T_i$ denote the number of approximations for $R_i$, and let $T'_i$ denote the number of approximations for $R'_i$. The fixpoint for $R'_i$ is evaluated at most $T_i$ times (the number of approximations to the enclosing $R_i$). Each evaluation can take at most $n + 1$ iterations, for a total of $(n+1)T_i$ approximations. Thus, $T'_i \le (n+1)T_i$. The fixpoint for $R_i$ has a table $\mathcal{T}_i$ with $(n+1)^{i-1}$ entries. Because of the monotonicity constraints, each entry can go through at most $n + 1$ distinct values. Since there are $(n+1)^{i-1}$ entries, we have a total of $(n+1)^i$ iterations. These iterations correspond to the case when the loop test is false. In addition, each time we evaluate the fixpoint for $R_i$ we will take one extra step to detect convergence, which will not result in a new value for the corresponding table entry. We evaluate the fixpoint for $R_i$ at most $T'_{i-1}$ times. Thus we make at most $T'_{i-1}$ iterations when the loop test is true. In total, we have $T_i \le (n+1)^i + T'_{i-1}$. Solving this recurrence, we get:

$$T_i \le i(n+1)^i$$

$$T'_i \le i(n+1)^{i+1}$$

Summing over all fixpoints and expressing the result in terms of the alternation depth $d = 2g$, we get that the algorithm takes $O(d(n+1)^{d/2+1})$ iterations when computing the fixpoints in a formula with strict alternation. In comparison, previously known algorithms may require $O(n^d)$ iterations.

4 Ordered Binary Decision Diagrams (OBDDs)

In this section we give a brief description of an efficient data structure for representing boolean functions. Consider the space $\mathcal{B}_n$ of boolean functions on $n$ variables $x_0, \ldots, x_{n-1}$. We assume that there is a total ordering on the boolean variables. The ordering is given by the index, i.e., $x_i$ is ordered before $x_j$ iff $i < j$. The symbol $OBDD(f)$ will denote the Ordered Binary Decision Diagram (OBDD) for the boolean function $f$ [4]. OBDDs have the following canonicity property:

Theorem 4.1 (Canonicity Theorem): Given two boolean functions $f$ and $g$ in the space $\mathcal{B}_n$, $OBDD(f) = OBDD(g)$ iff $f = g$.

A detailed proof is given in [4].

We will give a succinct explanation of how OBDDs work through an example. For a more thorough treatment see [4, 6]. Consider the following boolean function $f$:

$$f = x_0 \oplus x_1 \oplus x_2$$

Figure 5 gives the binary tree $T$ corresponding to the boolean function $f$. Notice that the binary subtrees which we get by following the paths $(0, 1)$ and $(1, 0)$ from the root are the same. The same is true if we follow the paths $(0, 0)$ and $(1, 1)$. Figure 6 reflects this sharing. Notice that the number of nodes is reduced from 15 to 7. In general, the binary tree corresponding to the parity of $n$ bits has $2^{n+1} - 1$ nodes. The OBDD for the same function has $2n + 1$ nodes. Therefore, in some cases an OBDD can be exponentially more succinct than the straightforward representation. We will use $|OBDD(f)|$ to denote the size of the OBDD for $f$, i.e., the number of nodes in $OBDD(f)$. In addition to being a canonical representation, OBDDs support the usual operations on boolean functions efficiently. The complexity of some of the operations is shown below:

• Given the OBDDs for $f$ and $g$, the OBDDs for $f \vee g$ and $f \wedge g$ can be computed in time $O(|OBDD(f)| \cdot |OBDD(g)|)$.

• Given the OBDD for $f$, the OBDD for $\neg f$ can be computed in time $O(|OBDD(f)|)$.

• Given the OBDD for $f$, the OBDDs for $\exists x_i\, f$ and $\forall x_i\, f$ can be computed in time $O(|OBDD(f)|^2)$.
Figure 6: OBDD for the 3-bit parity function


Variable ordering is extremely important in OBDDs. For example, consider the following
boolean function $f$:

$$f(x_1, \ldots, x_n, x'_1, \ldots, x'_n) = \bigwedge_{i=1}^{n} (x_i = x'_i)$$

The OBDD for $f$ with the variable ordering

$$x_1 < x'_1 < x_2 < x'_2 < \cdots < x_n < x'_n$$

has size $3n + 2$. As the following lemma shows, the OBDD for $f$ can have size exponential
in $n$ under some variable orderings. Moreover, there are some functions whose OBDDs have
exponential size under any variable ordering [4].
Lemma 4.1 Let $f(x_1, \ldots, x_n, x'_1, \ldots, x'_n)$ be the following boolean function:

$$f = \bigwedge_{i=1}^{n} (x_i = x'_i)$$

Let $F$ be the OBDD for $f$ such that all the unprimed variables are ordered before all the
primed variables. In this case $|F| \geq 2^n$.

Proof: Consider two distinct assignments $(b_1, \ldots, b_n)$ and $(c_1, \ldots, c_n)$ to the boolean vector
$(x_1, \ldots, x_n)$. These two assignments can be distinguished because of the following inequation:

$$f(b_1, \ldots, b_n, b_1, \ldots, b_n) = 1 \neq 0 = f(c_1, \ldots, c_n, b_1, \ldots, b_n)$$

Let $v_1$ and $v_2$ be the nodes reached after following the paths $(b_1, \ldots, b_n)$ and $(c_1, \ldots, c_n)$ from
the top node. Since the residual functions of the primed variables at $v_1$ and $v_2$ differ and the OBDD is
reduced, $v_1 \neq v_2$. There are $2^n$
different assignments to the boolean vector $(x_1, \ldots, x_n)$ and each of them corresponds to a
different node (at level $n$) in the OBDD $F$. Therefore, the number of nodes at level $n$ in the
OBDD $F$ is greater than or equal to $2^n$. □
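The following program is an added example and not part of the paper: a small reduced OBDD package in the style of [4] (unique table, apply, negation, restriction and existential quantification) that reproduces the node counts stated in this section, namely $2n+1$ for the parity function, $3n+2$ for the equality function under the interleaved ordering, and $3 \cdot 2^n - 1$ (so at least $2^n$) when all unprimed variables precede the primed ones, as in Lemma 4.1. The variable names `x1`, `x1'` and all function names are the example's own choices.

```python
"""Added example, not from the paper: a small reduced OBDD package in the style of
Bryant [4], used to reproduce the node counts of Section 4.  Ids 0 and 1 are the
terminal nodes and are counted in the sizes, as the text does."""
import operator
from functools import reduce

def _iff(a, b): return a == b
def _not_left(a, _b): return not a

class ROBDD:
    def __init__(self, order):
        self.level = {v: i for i, v in enumerate(order)}  # variable -> position in the ordering
        bottom = len(order)                                # pseudo-level of the terminals
        self.table = {0: (bottom, None, None), 1: (bottom, None, None)}  # id -> (level, low, high)
        self.unique = {}                                   # (level, low, high) -> id
        self.cache = {}                                    # memo for apply and restrict

    def mk(self, level, low, high):
        """Reduction rules: drop a test whose branches agree, share identical nodes.
        Together with the fixed ordering this is what makes the OBDD canonical."""
        if low == high:
            return low
        key = (level, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.table)
            self.table[self.unique[key]] = key
        return self.unique[key]

    def var(self, name):
        return self.mk(self.level[name], 0, 1)

    def apply(self, op, u, v):
        """Bryant's apply: O(|u| * |v|), since each (u, v) pair is expanded once."""
        key = (op, u, v)
        if key not in self.cache:
            if u < 2 and v < 2:
                res = int(op(bool(u), bool(v)))
            else:
                lu, u0, u1 = self.table[u]
                lv, v0, v1 = self.table[v]
                m = min(lu, lv)             # split on the earliest variable of the two
                if lu != m:
                    u0 = u1 = u             # u does not depend on that variable
                if lv != m:
                    v0 = v1 = v
                res = self.mk(m, self.apply(op, u0, v0), self.apply(op, u1, v1))
            self.cache[key] = res
        return self.cache[key]

    def neg(self, u):
        """Negation in O(|u|): only the terminals change."""
        return self.apply(_not_left, u, 0)

    def restrict(self, u, name, value):
        """The cofactor f[x := value]."""
        key = ('restrict', name, value, u)
        if key not in self.cache:
            lvl, (l, lo, hi) = self.level[name], self.table[u]
            if u < 2 or l > lvl:
                res = u
            elif l == lvl:
                res = hi if value else lo
            else:
                res = self.mk(l, self.restrict(lo, name, value), self.restrict(hi, name, value))
            self.cache[key] = res
        return self.cache[key]

    def exists(self, u, name):
        """Existential quantification f[x := 0] or f[x := 1]: O(|u|^2)."""
        return self.apply(operator.or_, self.restrict(u, name, 0), self.restrict(u, name, 1))

    def size(self, u):
        """|OBDD(f)|: nodes reachable from u, terminals included."""
        seen, stack = set(), [u]
        while stack:
            w = stack.pop()
            if w not in seen:
                seen.add(w)
                if w > 1:
                    stack.extend(self.table[w][1:])
        return len(seen)

def parity(bdd, names):
    return reduce(lambda f, g: bdd.apply(operator.xor, f, g), (bdd.var(x) for x in names))

def equality(bdd, xs, ys):
    """f = AND_i (x_i = x'_i) of Lemma 4.1."""
    return reduce(lambda f, g: bdd.apply(operator.and_, f, g),
                  (bdd.apply(_iff, bdd.var(x), bdd.var(y)) for x, y in zip(xs, ys)))

def names(n):
    return [f'x{i}' for i in range(1, n + 1)], [f"x{i}'" for i in range(1, n + 1)]

def parity_size(n):
    """Text: 2n + 1 nodes, against 2^(n+1) - 1 for the decision tree."""
    xs = names(n)[0]
    b = ROBDD(xs)
    return b.size(parity(b, xs))

def equality_sizes(n):
    """(size under x1 < x1' < x2 < x2' < ..., size with all x_i before all x'_i)."""
    xs, ys = names(n)
    good, bad = ROBDD([v for pair in zip(xs, ys) for v in pair]), ROBDD(xs + ys)
    return good.size(equality(good, xs, ys)), bad.size(equality(bad, xs, ys))

def project_out_primed(n):
    """exists x'_1 ... x'_n . AND_i (x_i = x'_i) reduces to the constant true (id 1)."""
    xs, ys = names(n)
    b = ROBDD(xs + ys)
    return reduce(lambda f, y: b.exists(f, y), ys, equality(b, xs, ys))

if __name__ == '__main__':
    print(parity_size(3), equality_sizes(3), equality_sizes(8))   # 7 (11, 23) (26, 767)
```

The bad ordering gives exactly $3 \cdot 2^n - 1$ nodes here: $2^n - 1$ nodes for the unprimed levels, $2^{n+1} - 2$ for the primed levels and the two terminals, which is the exponential blow-up the lemma bounds from below. Because `mk` never creates a duplicate node, two different constructions of the same function always return the same node id, which is Theorem 4.1 in executable form.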

5 Translating the $\mu$-Calculus into OBDDs

In this section we describe how to use OBDDs in the model checking algorithms described
earlier. First, we show how to encode a transition system $M = (S, \mathcal{I}, L)$ into OBDDs. The
domain $S$ is encoded by the set of values of the $n$ boolean variables $x_1, \ldots, x_n$, i.e., $S$ is now
the space of 0-1 vectors of length $n$. Each variable $x_i$ has a corresponding primed variable
$x'_i$. Instead of writing $x_1, \ldots, x_n$ we sometimes use the vector notation $\bar{x}$. For example,
we write $\mathrm{OBDD}_p(x_1, \ldots, x_n)$ as $\mathrm{OBDD}_p(\bar{x})$. Given an interpretation we build the OBDDs
corresponding to closed $\mu$-calculus formulas in the following manner.

• Each atomic proposition $p$ has an OBDD associated with it. We will denote this
OBDD by $\mathrm{OBDD}_p(\bar{x})$. $\mathrm{OBDD}_p(\bar{x})$ has the property that $y \in \{0,1\}^n$ satisfies $\mathrm{OBDD}_p$
iff $y \in L(p)$.

• Each program letter $a$ has an ordered binary decision diagram $\mathrm{OBDD}_a(\bar{x}, \bar{x}')$ associated
with it. A 0-1 vector $(y, z) \in \{0,1\}^{2n}$ satisfies $\mathrm{OBDD}_a$ iff

$$(y, z) \in \mathcal{I}(a)$$

Now we describe the encoding of the semantic sets of formulas into OBDDs. Assume
that we are given a $\mu$-calculus formula $\phi$ with free relational variables $R_1, \ldots, R_k$. $A[R_i]$
gives the OBDD corresponding to the relational variable $R_i$. $A(R \leftarrow B_R)$ creates a new
association by adding a relational variable $R$ and associating an OBDD $B_R$ with $R$. In other
words, $A$ can be considered as an environment with OBDD representation. The procedure
$B$ given below takes a $\mu$-calculus formula $\phi$ and an association list $A$ ($A$ assigns an OBDD
to each free relational variable occurring in $\phi$) and returns an OBDD corresponding to the
semantics of $\phi$.
• $B(p, A) = \mathrm{OBDD}_p(\bar{x})$.

• $B(R_i, A) = A[R_i]$.

• $B(\neg\phi, A) = \neg B(\phi, A)$.

• $B(\phi \wedge \psi, A) = B(\phi, A) \wedge B(\psi, A)$.

• $B(\phi \vee \psi, A) = B(\phi, A) \vee B(\psi, A)$.

• $B(\langle a \rangle\phi, A) = \exists \bar{x}'\,(\mathrm{OBDD}_a(\bar{x}, \bar{x}') \wedge B(\phi, A)(\bar{x}'))$, where $B(\phi, A)(\bar{x}')$ is $B(\phi, A)$ with each $x_i$ renamed to $x'_i$.

• $B([a]\phi, A) = B(\neg\langle a \rangle\neg\phi, A)$.

The equation for $[a]$ uses the dual formulation $[a]\phi = \neg\langle a \rangle\neg\phi$.

• $B(\mu R.\phi, A) = \mathrm{FIX}(\phi, A, \mathrm{FALSE\text{-}BDD})$.

• $B(\nu R.\phi, A) = \mathrm{FIX}(\phi, A, \mathrm{TRUE\text{-}BDD})$.

The OBDDs for the boolean functions false and true are denoted by FALSE-BDD and
TRUE-BDD respectively. Notice that $\phi$ has an extra free relational variable $R$. FIX is
described in Figure 7.


    function FIX($\phi$, $A$, $B_R$)
        result-bdd = $B_R$
        do
            old-bdd = result-bdd
            result-bdd = $B(\phi, A(R \leftarrow \text{old-bdd}))$
        while (not-equal(old-bdd, result-bdd))
        return(result-bdd)

Figure 7: Pseudocode for the function FIX

Now we give a short example to illustrate our point.

Example 5.1 Assume that the state space $S$ is encoded by $n$ boolean variables $x_1, \ldots, x_n$.
Consider the following formula:

$$\phi = \mu Z.((q \wedge Y) \vee \langle a \rangle Z)$$

Notice that the variable $Y$ is free in $\phi$. Assume that the interpretation for $q$ is an OBDD
$\mathrm{OBDD}_q(\bar{x})$. Similarly, the OBDD corresponding to the program letter $a$ is $\mathrm{OBDD}_a(\bar{x}, \bar{x}')$.
Also assume that we are given an association list $A$ which pairs the OBDD $B_Y(\bar{x})$ with $Y$.
In the routine FIX the OBDD result-bdd is initially set to:

$$X^0(\bar{x}) = \mathrm{FALSE\text{-}BDD}$$

Let $X^i(\bar{x})$ be the value of result-bdd after the $i$-th iteration of the loop of the function FIX. At
the end of the next iteration the value of result-bdd is given by:

$$X^{i+1}(\bar{x}) = (\mathrm{OBDD}_q(\bar{x}) \wedge B_Y(\bar{x})) \vee \exists \bar{x}'\,(\mathrm{OBDD}_a(\bar{x}, \bar{x}') \wedge X^i(\bar{x}'))$$

The iteration stops when $X^{i+1}(\bar{x}) = X^i(\bar{x})$.

6 Branching Time Temporal Logics

Let $AP$ be a set of atomic propositions. A Kripke structure over $AP$ is a triple $M = (S, T, L)$,
where

• $S$ is a finite set of states,

• $T \subseteq S \times S$ is a transition relation, which must be total (i.e., for every state $s_1$ there
exists a state $s_2$ such that $(s_1, s_2) \in T$),

• $L : S \to 2^{AP}$ is a labeling function which associates with each state the set of atomic
propositions that are true in the state.

There are two types of formulas in the temporal logic CTL*: state formulas (which are
true in a specific state) and path formulas (which are true along a specific path). The
state operators in CTL* are: A ("for all computation paths") and E ("for some computation
path"). The path operators in CTL* are: X ("next"), G ("always"), F ("sometimes"), U ("until"), and
V ("unless"). Let $AP$ be a set of atomic propositions. A state formula is either:

• $p$, if $p \in AP$;

• $\neg f$ or $f \vee g$, where $f$ and $g$ are state formulas; or

• E($f$), where $f$ is a path formula.

Path formulas are defined as follows:

• every state formula is a path formula; and

• if $f$ and $g$ are path formulas, then $\neg f$, $f \vee g$, X $f$, $f$ U $g$, and $f$ V $g$ are path formulas.

CTL* is the set of state formulas generated by the above rules.

We define the semantics of CTL* with respect to a Kripke structure $M = (S, T, L)$. A path
in $M$ is an infinite sequence of states $\pi = s_0, s_1, \ldots$ such that, for every $i \geq 0$, $(s_i, s_{i+1}) \in T$. $\pi^i$
denotes the suffix of $\pi$ starting at $s_i$. $\pi[i]$ denotes the $i$-th state on the path $\pi$. The starting
state of path $\pi$ is $\pi[0]$. We use the standard notation to indicate that a state formula $f$ holds
in a structure. $M, s \models f$ means that $f$ holds at the state $s$ in the structure $M$. Similarly,
$M, \pi \models f$ means that the path formula $f$ is true along the path $\pi$. Assume that $f_1$ and $f_2$
are state formulas and $g_1$ and $g_2$ are path formulas, then the relation $\models$ is defined inductively
as follows:

1. $s \models p \iff p \in L(s)$

2. $s \models \neg f_1 \iff s \not\models f_1$

3. $s \models f_1 \vee f_2 \iff s \models f_1$ or $s \models f_2$

4. $s \models \mathrm{E}(g_1) \iff$ there exists a path $\pi$ starting with $s$ such that $\pi \models g_1$

5. $\pi \models f_1 \iff \pi[0] \models f_1$

6. $\pi \models \neg g_1 \iff \pi \not\models g_1$

7. $\pi \models g_1 \vee g_2 \iff \pi \models g_1$ or $\pi \models g_2$

8. $\pi \models \mathrm{X}\, g_1 \iff \pi^1 \models g_1$

9. $\pi \models g_1\, \mathrm{U}\, g_2 \iff$ there exists $k \geq 0$ such that $\pi^k \models g_2$ and for all $0 \leq j < k$, $\pi^j \models g_1$.

10. $\pi \models g_1\, \mathrm{V}\, g_2 \iff$ for every $k \geq 0$, if $\pi^j \not\models g_1$ for all $0 \leq j < k$, then $\pi^k \models g_2$.

CTL is the subset of CTL* in which the path formulas are restricted to be:

• if $f$ and $g$ are state formulas, then X $f$, $f$ U $g$, and $f$ V $g$ are path formulas.

The basic modalities of CTL are EX $f$, EG $f$, and E($f$ U $g$), where $f$ and $g$ are again CTL
formulas. The operators E($f$ V $g$) and EF $f$ can be expressed as follows:

$$\mathrm{E}(f\, \mathrm{V}\, g) = \mathrm{E}((\neg f \wedge g)\, \mathrm{U}\, (f \wedge g)) \vee \mathrm{EG}(\neg f \wedge g)$$

$$\mathrm{EF}\, f = \mathrm{E}(\mathit{true}\, \mathrm{U}\, f)$$

The operators AG $f$, AF $f$ and A($f$ U $g$) can be expressed in terms of the basic modalities
described above:

$$\mathrm{AG}\, f = \neg\mathrm{EF}\, \neg f$$

$$\mathrm{AF}\, f = \neg\mathrm{EG}\, \neg f$$

$$\mathrm{A}(f\, \mathrm{U}\, g) = \neg\mathrm{E}(\neg f\, \mathrm{V}\, \neg g)$$

Next, we discuss the issue of fairness. In many cases, we are only interested in the correctness
along paths with certain conditions. For example, if we are verifying a protocol with a
scheduler, we may wish to consider only executions where processes are not ignored by the
scheduler, i.e., every process is given a chance to run infinitely often. This type of fairness
constraint cannot be expressed in CTL [7]. In order to handle such properties we have to
modify the semantics of CTL. A fairness constraint can be an arbitrary set of states, usually
described by a CTL formula. Generally, there will be several fairness constraints. In this
paper we will denote the set of all fairness constraints by $H = \{h_1, \ldots, h_n\}$. We have the
following definition of a fair path.

Definition 6.1 Given a Kripke structure $M = (S, T, L)$ and a set of fairness constraints
$H = \{h_1, \ldots, h_n\}$, a path $\pi$ in $M$ is called fair iff each CTL formula $h_i$ is satisfied infinitely
often on the path $\pi$.

The semantics of CTL has to be modified to handle fairness constraints $H$. The basic idea
is to restrict path quantifiers to fair paths. The formal definition is given below:

• $s \models \mathrm{EX}_H\, f$ iff there exists a fair path $\pi$ starting from the state $s$ such that $\pi[1] \models f$.

• $s \models \mathrm{E}(g_1\, \mathrm{U}_H\, g_2)$ iff there exists a fair path $\pi$ starting from the state $s$ and there exists
$k \geq 0$ such that $\pi[k] \models g_2$ and for all $0 \leq j < k$, $\pi[j] \models g_1$.

• $s \models \mathrm{EG}_H\, f$ iff there exists a fair path $\pi$ starting from the state $s$ such that for all
$i \geq 0$, $\pi[i] \models f$.

7 Translating CTL into the $\mu$-Calculus

In this section we give a translation of CTL into the propositional $\mu$-calculus. The algorithm
Tr takes as its input a CTL formula and outputs an equivalent $\mu$-calculus formula with only
one action $a$.

• $Tr(p) = p$.

• $Tr(\neg f) = \neg Tr(f)$.

• $Tr(f \wedge g) = Tr(f) \wedge Tr(g)$.

• $Tr(\mathrm{EX}\, f) = \langle a \rangle Tr(f)$.

• $Tr(\mathrm{E}(f\, \mathrm{U}\, g)) = \mu Y.(Tr(g) \vee (Tr(f) \wedge \langle a \rangle Y))$.

• $Tr(\mathrm{EG}\, f) = \nu Y.(Tr(f) \wedge \langle a \rangle Y)$.

Note that any resulting $\mu$-calculus formula is closed. Therefore, we can omit the environment
in the set $[\![Tr(f)]\!]_M$.

Lemma 7.1 Let $M = (S, T, L)$ be a Kripke structure, $f$ be a CTL formula, and $a$ be an
action with interpretation $T$. Consider the predicate transformer $\tau$:

$$\tau(Z) = f \wedge \langle a \rangle Z = \{ s \in S \mid s \models f \wedge \exists s' \in S\,((s, s') \in T \wedge s' \in Z) \}$$

$\tau$ satisfies the following conditions:

• $\tau$ is monotonic.

• Let $\tau^\omega(S)$ be the limit of the decreasing sequence $S \supseteq \tau(S) \supseteq \tau(\tau(S)) \supseteq \cdots$. For every $s \in S$, if $s \in \tau^\omega(S)$
then $s \models f$, and there is a state $s'$ such that $(s, s') \in T$ and $s' \in \tau^\omega(S)$.

Proof: Let $P_1 \subseteq P_2$. In this case $\langle a \rangle P_1 \subseteq \langle a \rangle P_2$, i.e., the successor relation is monotonic.
Therefore, $\tau(P_1) \subseteq \tau(P_2)$. Since $S$ is finite the sequence stabilizes, so $\tau^\omega(S)$ is a fixpoint of the predicate transformer $\tau$ and we
have the following equation:

$$\tau(\tau^\omega(S)) = \tau^\omega(S)$$

Let $s \in \tau^\omega(S)$. Using the equation given above we get that $s \in \tau(\tau^\omega(S))$. By definition of
$\tau$ we get that $s \models f$ and there exists a state $s'$ such that $(s, s') \in T$ and $s' \in \tau^\omega(S)$. □

The theorem given below proves the correctness of the translation algorithm Tr.

Theorem 7.1 Let $M = (S, T, L)$ be the underlying Kripke structure. Let $\phi$ be a CTL
formula. Let the interpretation of the action $a$ be $T$. An atomic proposition $p$ in $Tr(\phi)$ has
the interpretation $L(p)$, i.e., the set of states $s$ with $p \in L(s)$. The set of states of the transition system is $S$. In this case, for all $s \in S$

$$s \models \phi \iff s \in [\![Tr(\phi)]\!]_M$$

Proof: The proof is by structural induction on $\phi$.

• $\phi = p$: In this case the result is true by definition.

• $\phi = \neg f$: By definition $[\![Tr(\neg f)]\!]_M = S - [\![Tr(f)]\!]_M$. The result follows by using the
induction hypothesis on $f$.

• $\phi = f \wedge g$: By definition $[\![Tr(f \wedge g)]\!]_M = [\![Tr(f)]\!]_M \cap [\![Tr(g)]\!]_M$. The result follows by
using the induction hypothesis on $f$ and $g$.

• $\phi = \mathrm{EX}\, f$: Let $S_f$ be the set of states where $f$ is true. By the induction hypothesis,
$[\![Tr(f)]\!]_M = S_f$. The set of states satisfying $\phi$ is the set of states $S_1$ which have a
successor in $S_f$. It is clear from the semantics of $\langle a \rangle$ that $[\![\langle a \rangle Tr(f)]\!]_M = S_1$.

• $\phi = \mathrm{EG}\, f$: Let $S_1$ be the set of states $s$ such that $s \models \mathrm{EG}\, f$. Let $\tau : 2^S \to 2^S$ be the
following predicate transformer:

$$\tau(Z) = [\![Tr(f)]\!]_M \cap [\![\langle a \rangle X]\!]_{M, e[X \leftarrow Z]}$$

By definition, the greatest fixpoint of $\tau$ is given by $\bigcap_i \tau^i(S)$, where $\tau^0(S) = S$ and
$\tau^{i+1}(S) = \tau(\tau^i(S))$. Using the semantics of EG we get that if $s \in S_1$, then there
exists a path $\pi$ starting from $s$ such that each state on the path satisfies $f$. Therefore,
if $s \in S_1$, then $s \models f$ and $s$ has a successor $s'$ such that $(s, s') \in T$ and $s' \models \mathrm{EG}\, f$, so
$S_1 \subseteq \tau(S_1)$. Conversely, a state satisfying $f$ with a successor in $S_1$ is the start of an infinite
path along which $f$ holds everywhere, so $\tau(S_1) \subseteq S_1$. Hence
$S_1$ is a fixpoint of the predicate transformer $\tau$, i.e.,

$$\tau(S_1) = S_1$$

Since $\bigcap_i \tau^i(S)$ is the greatest fixpoint of $\tau$, we have the following inclusion:

$$S_1 \subseteq \bigcap_i \tau^i(S)$$

Now assume that $s \in \bigcap_i \tau^i(S)$. By Lemma 7.1, $s$ is the start of an infinite path $\pi$ such
that each state $s'$ on the path $\pi$ satisfies $f$. Therefore, we have the following inclusion:

$$\bigcap_i \tau^i(S) \subseteq S_1$$

Using the two inclusions we get that $S_1$ is the greatest fixpoint of the predicate transformer $\tau$.

• $\phi = \mathrm{E}(f\, \mathrm{U}\, g)$: Let $S_1$ be the set of states $s$ such that $s \models \mathrm{E}(f\, \mathrm{U}\, g)$. Let $\tau : 2^S \to 2^S$
be the following predicate transformer:

$$\tau(Z) = [\![Tr(g)]\!]_M \cup ([\![Tr(f)]\!]_M \cap [\![\langle a \rangle X]\!]_{M, e[X \leftarrow Z]})$$

First, we will show that $S_1$ is a fixpoint of $\tau$, i.e.,

$$\tau(S_1) = S_1$$

By definition, $s \models \mathrm{E}(f\, \mathrm{U}\, g)$ iff there exists a path $\pi$ starting from $s$ such that there
exists a $k \geq 0$ with the property that $\pi^k \models g$ and $\pi^i \models f$ (for $0 \leq i < k$). Equivalently,
$s \models \mathrm{E}(f\, \mathrm{U}\, g)$ iff $s \models g$, or $s \models f$ and there exists a state $s_1$ such that $(s, s_1) \in T$ and
$s_1 \models \mathrm{E}(f\, \mathrm{U}\, g)$. From this condition it is clear that $S_1$ is a fixed point of the predicate
transformer $\tau$. By definition, the least fixpoint of $\tau$ is given by

$$\bigcup_i \tau^i(\emptyset)$$

Since $S_1$ is a fixpoint for $\tau$, we have that

$$S_1 \supseteq \bigcup_i \tau^i(\emptyset)$$

Next we prove that

$$S_1 \subseteq \bigcup_i \tau^i(\emptyset)$$

which proves that $S_1$ is equal to the least fixpoint of the predicate transformer $\tau$.
By definition, if $s \in S_1$, then there exists a path $\pi$ and a $k \geq 0$ such that $\pi^k \models g$
and $\pi^j \models f$ (for $j < k$). We will prove by induction on $k$ that $s \in \tau^{k+1}(\emptyset)$. The
basis case is trivial. If $k = 0$, then $s \models g$ and therefore $s \in \tau(\emptyset)$, which is equal to
$[\![Tr(g)]\!]_M \cup ([\![Tr(f)]\!]_M \cap [\![\langle a \rangle X]\!]_{M, e[X \leftarrow \emptyset]}) = [\![Tr(g)]\!]_M$.

For the inductive step, assume that the above claim holds for every $s$ and every $k \leq m$.
Let $s$ be the start of a path $\pi = s_0, s_1, \ldots$ such that $s_{m+1} \models g$ and for every $i < m+1$,
$s_i \models f$. By the induction hypothesis applied to $s_1$ (with $k = m$), $s_1 \in \tau^{m+1}(\emptyset)$. Notice that $s_0 = s \in [\![Tr(f)]\!]_M$
and $s \in \langle a \rangle \tau^{m+1}(\emptyset)$. Therefore, by definition $s \in \tau^{m+2}(\emptyset)$. Hence, if $s \in S_1$, then
$s \in \bigcup_i \tau^i(\emptyset)$. □

Using Theorem 7.1 we have the following result:

Theorem 7.2 Given a Kripke structure $M = (S, T, L)$, an initial state $s_0 \in S$, and a CTL
formula $f$, one can decide in $O(|S||f|)$ iterations whether $M, s_0 \models f$, where $|f|$ denotes the
number of symbols in the formula $f$.

Proof: Consider the following formula:

$$\nu Y.(\mu Z.(q \vee (p \wedge \langle a \rangle Z)) \wedge \langle a \rangle Y)$$

Notice that the formula given above is $Tr(\mathrm{EG}(\mathrm{E}(p\, \mathrm{U}\, q)))$. Since the inner least fixpoint
does not use the relational variable $Y$ (associated with the outer greatest fixpoint), we can
compute it first and reuse that value in the outer fixpoint computation. Therefore, if we
compute the inner fixpoint first, we can evaluate the formula given above in $O(2|S|)$ iterations.
Notice that given a CTL formula $f$, $Tr(f)$ has the property that the inner fixpoints
never use the variables associated with the outer fixpoints. By evaluating the fixpoints in
the nesting order (evaluating the inner fixpoints first), we do not have to recompute the
fixpoints. Therefore, the total complexity is the sum of the complexities for evaluating each
fixpoint independently. This is bounded by $O(|S||f|)$.¹ □

Given fairness constraints $H = \{h_1, \ldots, h_n\}$, we extend the translation algorithm Tr in the
following way:

• $Tr(\mathrm{EG}_H\, f) = \nu Y.\Big(Tr(f) \wedge \langle a \rangle \bigwedge_{i=1}^{n} \mu X.[(Tr(f) \wedge \langle a \rangle X) \vee (Y \wedge Tr(h_i))]\Big)$

We introduce the following formula which is satisfied at a state $s$ iff there is a fair path $\pi$
starting from $s$.

• $\mathit{fair} = \mathrm{EG}_H\, \mathit{True}$

• $Tr(\mathrm{EX}_H\, f) = \langle a \rangle (Tr(f) \wedge Tr(\mathit{fair}))$.

• $Tr(\mathrm{E}(f\, \mathrm{U}_H\, g)) = \mu Y.((Tr(g) \wedge Tr(\mathit{fair})) \vee (Tr(f) \wedge \langle a \rangle Y))$.

We will give an informal proof of correctness for the $\mathrm{EG}_H$ case. Consider the following
formula:

$$\nu Y.(P \wedge \langle a \rangle \mu X.[(P \wedge \langle a \rangle X) \vee (Y \wedge h)])$$

This corresponds to the formula $Tr(\mathrm{EG}_H\, f)$, where $H = \{h\}$ and $P = Tr(f)$. First, note
that the condition "$h$ holds infinitely often along a path" is equivalent to saying that from
any point along that path, in a finite number of steps we will reach a state where $h$ holds. To
understand the formula given above, notice that $\mu X.[(P \wedge \langle a \rangle X) \vee (Y \wedge h)]$ means that "$P$
holds until $Y \wedge h$, and $Y \wedge h$ is reachable in a finite number of steps". Since the outer fixed
point $\nu Y.(P \wedge \cdots)$ indicates that this property holds globally along the path, the formula
exactly corresponds to the desired property.


¹By the definition of alternation depth given in [1], the formula $Tr(f)$ always has alternation depth one.
Hence, the linear complexity of CTL model checking follows directly from the algorithm in [1].
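The following Python program is an added example and not part of the paper. It implements the procedure $B$ and the loop FIX of Figure 7 (Section 5) with explicit state sets standing in for OBDDs, and on top of it the translation Tr of Section 7, including the $\mathrm{EG}_H$, $\mathrm{EX}_H$ and $\mathrm{E}(f\,\mathrm{U}_H\,g)$ cases. The four-state Kripke structure, the tuple encoding of formulas and the function names are constructed for the demonstration; the expected sets in the comments were worked out by hand from the semantics of Section 6.

```python
"""Added example, not from the paper: the procedure B and the loop FIX of Figure 7
with explicit state sets standing in for OBDDs, plus the translation Tr of Section 7
including the fairness cases.  The Kripke structure is constructed for the demo."""

# Formulas are nested tuples:
#   ('true',) ('prop', p) ('var', R) ('not', f) ('and', f, g) ('or', f, g)
#   ('dia', a, f) ('box', a, f) ('mu', R, f) ('nu', R, f)

def sem(phi, M, env, stats):
    """[[phi]] as a frozenset: the cases of B, with env playing the role of the
    association list A.  stats['iterations'] counts the passes through FIX."""
    S, I, L = M                      # states, interpretation of program letters, labeling
    k = phi[0]
    if k == 'true':
        return S
    if k == 'prop':
        return frozenset(s for s in S if phi[1] in L[s])
    if k == 'var':
        return env[phi[1]]
    if k == 'not':
        return S - sem(phi[1], M, env, stats)
    if k == 'and':
        return sem(phi[1], M, env, stats) & sem(phi[2], M, env, stats)
    if k == 'or':
        return sem(phi[1], M, env, stats) | sem(phi[2], M, env, stats)
    if k == 'dia':                   # <a>f: exists x'. I(a)(x, x') and f(x')
        target = sem(phi[2], M, env, stats)
        return frozenset(s for (s, t) in I[phi[1]] if t in target)
    if k == 'box':                   # [a]f = not <a> not f, the dual used by B
        return sem(('not', ('dia', phi[1], ('not', phi[2]))), M, env, stats)
    if k in ('mu', 'nu'):
        return fix(phi[2], M, env, phi[1], frozenset() if k == 'mu' else S, stats)
    raise ValueError(f'unknown formula {phi!r}')

def fix(body, M, env, R, start, stats):
    """Figure 7: iterate from FALSE (mu) or TRUE (nu) until the value stops changing."""
    result = start
    while True:
        old = result
        result = sem(body, M, {**env, R: old}, stats)     # B(body, A(R <- old-bdd))
        stats['iterations'] += 1
        if result == old:
            return result

def fair_formula(H):
    """fair = EG_H True; with no constraints every path is fair."""
    return tr(('EG', ('true',)), H) if H else ('true',)

def tr(f, H=()):
    """Section 7: CTL -> mu-calculus over the single action 'a'.  H is the list of
    fairness constraints (CTL formulas); the constraints themselves are translated plainly."""
    k = f[0]
    if k in ('true', 'prop'):
        return f
    if k == 'not':
        return ('not', tr(f[1], H))
    if k == 'and':
        return ('and', tr(f[1], H), tr(f[2], H))
    if k == 'EX':                    # <a>(Tr(f) and fair)
        return ('dia', 'a', ('and', tr(f[1], H), fair_formula(H)))
    if k == 'EU':                    # mu Y.((Tr(g) and fair) or (Tr(f) and <a>Y))
        return ('mu', 'Y', ('or', ('and', tr(f[2], H), fair_formula(H)),
                            ('and', tr(f[1], H), ('dia', 'a', ('var', 'Y')))))
    if k == 'EG':
        P = tr(f[1], H)
        if not H:                    # nu Y.(Tr(f) and <a>Y)
            return ('nu', 'Y', ('and', P, ('dia', 'a', ('var', 'Y'))))
        # nu Y.(P and <a> AND_i mu X.[(P and <a>X) or (Y and Tr(h_i))])
        conj = None
        for h in H:
            inner = ('mu', 'X', ('or', ('and', P, ('dia', 'a', ('var', 'X'))),
                                 ('and', ('var', 'Y'), tr(h))))
            conj = inner if conj is None else ('and', conj, inner)
        return ('nu', 'Y', ('and', P, ('dia', 'a', conj)))
    raise ValueError(f'unknown CTL formula {f!r}')

# Constructed Kripke structure (total transition relation): s1 loops forever
# inside p, while s2 and s3 form a cycle that visits the q-state s3 infinitely often.
S = frozenset({'s0', 's1', 's2', 's3'})
T = frozenset({('s0', 's1'), ('s0', 's2'), ('s1', 's1'), ('s2', 's3'), ('s3', 's2')})
L = {'s0': {'p'}, 's1': {'p'}, 's2': {'p'}, 's3': {'q'}}
M = (S, {'a': T}, L)
p, q, true = ('prop', 'p'), ('prop', 'q'), ('true',)

def check(f, H=()):
    """Evaluate the CTL formula f under fairness constraints H through Tr, B and FIX.
    Returns the sorted satisfying states and the total number of FIX iterations."""
    stats = {'iterations': 0}
    return sorted(sem(tr(f, H), M, {}, stats)), stats['iterations']

if __name__ == '__main__':
    print(check(('EU', p, q)))            # (['s0', 's2', 's3'], 4): s1 never reaches q
    print(check(('EG', p)))               # (['s0', 's1'], 3)
    print(check(('EG', true), [q])[0])    # ['s0', 's2', 's3']: states with a fair path
    print(check(('EG', p), [q])[0])       # []: no fair path stays inside p
    print(check(('EX', p), [q])[0])       # ['s0', 's3']
```

With an OBDD package the only change is the representation: `frozenset` operations become the OBDD operations of Section 4 and the `'dia'` case becomes the $\exists \bar{x}'$ of the procedure $B$. Note that `check(('EG', ('EU', p, q)))` recomputes the inner least fixpoint on every pass of the outer loop; caching closed subformulas, as in the proof of Theorem 7.2, is what brings the cost down to the $O(|S||f|)$ bound.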
8 Simulation Preorders and Bisimulation Equivalences

8.1 Simulation and bisimulation

In this section we will use essentially the same definition of a transition system that was
introduced in Section 2, except for two special program letters $\tau$ and $\varepsilon$. The letter $\tau$ represents
the idle action; its interpretation is always fixed: $\mathcal{I}(\tau) = \{(s, s) \mid s \in S\}$. The program
letter $\varepsilon$ denotes the invisible action from CCS [16] and will be used in the definition of the
weak simulation and bisimulation relations [17].

Definition 8.1 A relation $\mathcal{E} \subseteq S \times S$ is called a simulation relation, if for every $(s, s') \in \mathcal{E}$
the following condition holds:

$$\forall a \in Act.\, \forall q \in S.\ \text{if } s \xrightarrow{a} q \text{ then } \exists q' \in S.\ s' \xrightarrow{a} q' \text{ and } (q, q') \in \mathcal{E}.$$

Definition 8.2 A relation $\mathcal{E} \subseteq S \times S$ is called a bisimulation if $\mathcal{E}$ and $\mathcal{E}^{-1}$ are both simulation
relations. In other words, $\mathcal{E}$ satisfies the following conditions for every $(s, s') \in \mathcal{E}$:

(i) $\forall a \in Act.\, \forall q \in S.$ if $s \xrightarrow{a} q$ then $\exists q' \in S.\ s' \xrightarrow{a} q'$ and $(q, q') \in \mathcal{E}$;

(ii) $\forall a \in Act.\, \forall q' \in S.$ if $s' \xrightarrow{a} q'$ then $\exists q \in S.\ s \xrightarrow{a} q$ and $(q, q') \in \mathcal{E}$.

We define the simulation preorder as follows:

$$s \sqsubseteq s' \text{ iff there exists a simulation relation } \mathcal{E} \text{ such that } (s, s') \in \mathcal{E}.$$

We define bisimulation equivalence in a similar manner:

$$s \sim s' \text{ iff there exists a bisimulation relation } \mathcal{E} \text{ such that } (s, s') \in \mathcal{E}.$$

It is straightforward to check that $\sqsubseteq$ is a preorder. In fact, it is the maximal simulation
relation under inclusion. It is also possible to show that bisimulation equivalence $\sim$ is an
equivalence relation. Moreover, it is the maximal bisimulation relation under inclusion.

8.2 Encoding simulation and bisimulation into the $\mu$-calculus

In order to check if the initial states of two transition systems are bisimilar using the propositional
$\mu$-calculus, we first need to construct a new transition system. Given two transition
systems $M = (S, T, L)$ over $Act$ and $M' = (S, T', L')$ over $Act$, we define the product
$\bar{M} = M \times M'$ over $\overline{Act}$ as follows: $\bar{M} = (\bar{S}, \bar{T}, \bar{L})$, where

• $\overline{Act} = \{a\tau, \tau a \mid a \in Act\}$, the pairs of a program letter with the idle action $\tau$,

• $\bar{S} = S \times S$,

• $(s, s') \xrightarrow{ab} (q, q')$ iff $s \xrightarrow{a} q$ and $s' \xrightarrow{b} q'$ (so an $a\tau$-step moves only the first component and a $\tau a$-step only the second),

• $\bar{L}$ may be arbitrary in this case.

We assume that $M$ and $M'$ have the same state and action sets. This is a technical issue
because we can always define the transition systems on larger state and action sets.

Theorem 8.1 Let $s$ and $s'$ be states of the two transition systems $M$ and $M'$. Then
$s \sqsubseteq s'$ iff the following formula holds in the state $(s, s')$ of the transition system $\bar{M}$:

$$\nu X.\Big(\bigwedge_{a \in Act} [a\tau]\langle \tau a \rangle X\Big)$$

Proof: Consider the definition of a simulation relation:

$$(s, s') \in \mathcal{E} \text{ implies } \forall a \in Act.\, \forall q \in S.\ \text{if } s \xrightarrow{a} q \text{ then } \exists q' \in S.\ s' \xrightarrow{a} q' \text{ and } (q, q') \in \mathcal{E}.$$

In the transition system $\bar{M}$ (see the semantics of the modalities in Section 2 and the definition
of $\bar{M}$), the right-hand side says exactly that $(s, s')$ satisfies $\bigwedge_{a \in Act} [a\tau]\langle \tau a \rangle \mathcal{E}$. Therefore, $\mathcal{E}$ is a simulation relation iff

$$\mathcal{E} \subseteq \bigwedge_{a \in Act} [a\tau]\langle \tau a \rangle \mathcal{E},$$

i.e., iff $\mathcal{E}$ is a post-fixpoint of the equation $\mathcal{E} = \bigwedge_{a \in Act} [a\tau]\langle \tau a \rangle \mathcal{E}$; in particular every fixpoint is a simulation relation. We show
that $\sqsubseteq$ is the greatest fixpoint. Let $\mathcal{Y}$ denote the set $[\![\nu X.\bigwedge_{a \in Act} [a\tau]\langle \tau a \rangle X]\!]_{\bar{M}}$.

$\subseteq$: $s \sqsubseteq s'$ implies that $(s, s') \in \mathcal{E}$ for some simulation relation $\mathcal{E}$. Since $\mathcal{E}$ is a post-fixpoint of the
equation and the greatest fixpoint of a monotonic operator contains every post-fixpoint (Knaster-Tarski), we have $\mathcal{E} \subseteq \mathcal{Y}$; therefore $(s, s') \in \mathcal{Y}$.

$\supseteq$: Let $(s, s') \in \mathcal{Y}$. Since $\mathcal{Y}$ satisfies the fixpoint equation, it is a simulation relation, hence
$s \sqsubseteq s'$.

□

Theorem 8.2 Two states $s$ and $s'$ are bisimilar ($s \sim s'$) iff the following formula holds in
the state $(s, s')$ of the model $\bar{M}$:

$$\nu X.\Big(\bigwedge_{a \in Act} [a\tau]\langle \tau a \rangle X \wedge [\tau a]\langle a\tau \rangle X\Big)$$

The proof of this theorem is almost identical to the proof of the previous theorem.

Obviously, the alternation depth of the formulas is one, therefore the complexity is
$O(|\bar{S}|)$ iterations, where the size of $\bar{S}$ is $|S|^2$. The time complexity is $O(|\bar{S}||Act||\bar{M}|) =
O(|S|^2 |Act| |M| |M'|)$. An algorithm for bisimulation equivalence with time complexity
$O(|Act|(|T| + |T'|) \log(|S|))$ is given in [18]. However, it is not clear if this algorithm can be
modified to compute the simulation preorder or if it can be adapted to use OBDDs.

8.3 Weak simulation and bisimulation

Weak simulation preorder and weak bisimulation equivalence require a more elaborate encoding.
The definition of weak (bi)simulation is similar to (bi)simulation. The difference is
that each of the transition systems is allowed to perform an unbounded but finite number
of invisible actions $\varepsilon$. Formally, first define a relation $\stackrel{a}{\Rightarrow}$ by

$$s \stackrel{a}{\Rightarrow} q \text{ iff } \exists s_1, s_2.\ s \xrightarrow{\varepsilon^*} s_1 \xrightarrow{a} s_2 \xrightarrow{\varepsilon^*} q,$$

where $s \xrightarrow{\varepsilon^*} q$ means that $q$ is reachable from $s$ by 0 or more $\varepsilon$-transitions.

Definition 8.3 A relation $\mathcal{E} \subseteq S \times S$ is called a weak simulation with invisible action $\varepsilon$,
when for every $(s, s') \in \mathcal{E}$

$$\forall a \in Act.\, \forall q \in S.\ \text{if } s \stackrel{a}{\Rightarrow} q \text{ then } \exists q' \in S.\ s' \stackrel{a}{\Rightarrow} q' \text{ and } (q, q') \in \mathcal{E}.$$

Definition 8.4 A relation $\mathcal{E} \subseteq S \times S$ is called a weak bisimulation with invisible action $\varepsilon$,
if for every $(s, s') \in \mathcal{E}$

(i) $\forall a \in Act.\, \forall q \in S.$ if $s \stackrel{a}{\Rightarrow} q$ then $\exists q' \in S.\ s' \stackrel{a}{\Rightarrow} q'$ and $(q, q') \in \mathcal{E}$;

(ii) $\forall a \in Act.\, \forall q' \in S.$ if $s' \stackrel{a}{\Rightarrow} q'$ then $\exists q \in S.\ s \stackrel{a}{\Rightarrow} q$ and $(q, q') \in \mathcal{E}$.

As before, we introduce a preorder called weak simulation preorder:

$$s \sqsubseteq_\varepsilon s' \text{ iff there exists a weak simulation relation } \mathcal{E} \text{ such that } (s, s') \in \mathcal{E},$$

and an equivalence called weak bisimulation equivalence:

$$s \approx s' \text{ iff there exists a weak bisimulation relation } \mathcal{E} \text{ such that } (s, s') \in \mathcal{E}.$$

To encode the weak (bi)simulation in the propositional $\mu$-calculus we again make use of
the transition system $\bar{M}$. Define the abbreviations:

$$\langle \varepsilon^*; a; \varepsilon^* \rangle \phi =_{df} \mu X.(\langle a \rangle(\mu Y.\phi \vee \langle \varepsilon \rangle Y) \vee \langle \varepsilon \rangle X)$$

$$[\varepsilon^*; a; \varepsilon^*]\phi =_{df} \neg\langle \varepsilon^*; a; \varepsilon^* \rangle \neg\phi$$

To understand the formulas better, notice that informally they can be viewed as translations
of $\mathrm{EF}(\langle a \rangle \mathrm{EF}\, \phi)$ and $\mathrm{AG}([a]\, \mathrm{AG}\, \phi)$, where the CTL operators refer to $\varepsilon$-paths. Now, it is
straightforward to show that the following theorems hold:

Theorem 8.3 Let $s$ and $s'$ be states of the two transition systems. Then $s \sqsubseteq_\varepsilon s'$ iff the
following formula holds in the state $(s, s')$ of the transition system $\bar{M}$:

$$\nu X.\Big(\bigwedge_{a \in Act} [(\varepsilon\tau)^*; a\tau; (\varepsilon\tau)^*]\langle (\tau\varepsilon)^*; \tau a; (\tau\varepsilon)^* \rangle X\Big)$$

Theorem 8.4 Two states $s$ and $s'$ are weakly bisimilar ($s \approx s'$) iff the following formula
holds in the state $(s, s')$ of the model $\bar{M}$:

$$\nu X.\Big(\bigwedge_{a \in Act} [(\varepsilon\tau)^*; a\tau; (\varepsilon\tau)^*]\langle (\tau\varepsilon)^*; \tau a; (\tau\varepsilon)^* \rangle X \wedge [(\tau\varepsilon)^*; \tau a; (\tau\varepsilon)^*]\langle (\varepsilon\tau)^*; a\tau; (\varepsilon\tau)^* \rangle X\Big)$$

Although there are five levels of nesting in these formulas, the alternation depth is only
two. Therefore, we can compute it by the algorithm given in [11] using $O(|\bar{S}|^2 |Act|)$ iterations
or $O(|Act|^2 |\bar{M}| |\bar{S}|^2)$ time. Recall that each iteration can take up to $O(|Act| |\bar{M}|)$ time.
However, there is another algorithm by H. Andersen [2] that can compute the fixpoints in
$O(|Act|^2 |\bar{S}| |\bar{M}|)$ time. The algorithm in [18] can also be adapted to compute weak bisimulation
equivalence by precomputing the transitive closure of the $\varepsilon$ relation. However, the
expense of this step dominates the cost of the entire computation. Again, it is not clear that
OBDDs can be used in the last two algorithms.
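As an added example, not the paper's own code, the following Python computes the greatest simulation and bisimulation of Section 8.2 and their weak variants of Section 8.3 directly as the greatest fixpoint of the product-system formulas: it starts from $S \times S$ (TRUE) and refines it, as the loop FIX of Figure 7 would, until every remaining pair meets the condition of Definitions 8.1 to 8.4. The four small transition systems, the action names and the function names are constructed for the demonstration. One assumption is the example's own: an invisible $\varepsilon$-move is matched by zero or more $\varepsilon$-moves (the CCS convention of [16]); for visible actions the relation $\stackrel{a}{\Rightarrow}$ is exactly the one defined above.

```python
"""Added example, not from the paper: the greatest (weak) simulation and bisimulation
of Section 8 computed as a greatest fixpoint, i.e. by refining S x S until the
condition of Definitions 8.1-8.4 holds for every remaining pair.
The transition systems are constructed for the demonstration."""

EPS = 'eps'   # the invisible action epsilon of Section 8

def successors(T, s, a):
    """Strong a-successors of s: {q | s -a-> q}."""
    return {q for (x, b, q) in T if x == s and b == a}

def eps_closure(T, s):
    """{q | s -eps*-> q}: zero or more epsilon transitions."""
    seen, stack = {s}, [s]
    while stack:
        for q in successors(T, stack.pop(), EPS) - seen:
            seen.add(q)
            stack.append(q)
    return seen

def weak_successors(T, s, a):
    """s =a=> q iff s -eps*-> s1 -a-> s2 -eps*-> q (Section 8.3).
    Assumption (CCS convention): for a == EPS an invisible move is matched by
    zero or more epsilon moves, so =eps=> is just the epsilon closure."""
    if a == EPS:
        return eps_closure(T, s)
    out = set()
    for s1 in eps_closure(T, s):
        for s2 in successors(T, s1, a):
            out |= eps_closure(T, s2)
    return out

def greatest_relation(S, Act, succ, symmetric):
    """nu X.(AND_a [a tau]<tau a>X) over the product system, as a refinement loop:
    start from S x S (TRUE) and drop every pair (s, s') that violates the simulation
    condition; with symmetric=True the inverse condition is required as well, which
    yields the greatest bisimulation (Theorems 8.1 and 8.2, or 8.3 and 8.4 with
    weak successors)."""
    rel = {(s, t) for s in S for t in S}

    def simulates(s, t, rel):
        # every a-move of s is matched by an a-move of t into a related pair
        return all(any((q, q2) in rel for q2 in succ(t, a))
                   for a in Act for q in succ(s, a))

    while True:
        inv = {(t, s) for (s, t) in rel}
        new = {(s, t) for (s, t) in rel
               if simulates(s, t, rel) and (not symmetric or simulates(t, s, inv))}
        if new == rel:
            return rel
        rel = new

# Constructed systems, all on one state set as Section 8.2 assumes:
#   p0 -a-> p1 -b-> p2                  (a.b.0)
#   q0 -a-> q1 -eps-> q2 -b-> q3        (a.eps.b.0)
#   r0 -eps-> r1 -b-> r2,  r0 -a-> r3   (eps.b.0 + a.0)
#   t0 -b-> t1,  t0 -a-> t2             (b.0 + a.0)
T = {('p0', 'a', 'p1'), ('p1', 'b', 'p2'),
     ('q0', 'a', 'q1'), ('q1', EPS, 'q2'), ('q2', 'b', 'q3'),
     ('r0', EPS, 'r1'), ('r1', 'b', 'r2'), ('r0', 'a', 'r3'),
     ('t0', 'b', 't1'), ('t0', 'a', 't2')}
S = {x for (x, _, _) in T} | {z for (_, _, z) in T}
ACT = {'a', 'b', EPS}

def strong(symmetric):
    """Greatest strong simulation (symmetric=False) or bisimulation (True)."""
    return greatest_relation(S, ACT, lambda s, a: successors(T, s, a), symmetric)

def weak(symmetric):
    """Greatest weak simulation (symmetric=False) or weak bisimulation (True)."""
    return greatest_relation(S, ACT, lambda s, a: weak_successors(T, s, a), symmetric)

if __name__ == '__main__':
    print(('p0', 'q0') in strong(True), ('p0', 'q0') in weak(True))   # False True
    print(('r0', 't0') in weak(False), ('t0', 'r0') in weak(False))   # True True
    print(('r0', 't0') in weak(True))                                 # False
```

The pair `r0`, `t0` shows why Theorem 8.2 asks for one relation that is closed in both directions: each of the two states weakly simulates the other, yet they are not weakly bisimilar, because the pair `(r1, t0)` forced by the $\varepsilon$-move of `r0` cannot answer the `a`-move of `t0`. The refinement loop visits $|\bar{S}| = |S|^2$ pairs per round and runs at most $|\bar{S}|$ rounds, matching the iteration bound stated for the alternation-depth-one formulas above.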
9 Conclusion

In this paper, we show the importance of the propositional $\mu$-calculus by giving translations
of various graph-based verification algorithms into the $\mu$-calculus. We also present an OBDD
based algorithm for $\mu$-calculus model checking which has proved to be extremely efficient
in practice. Finally, we give the best known algorithm for evaluating $\mu$-calculus formulas.
However, there is still much work to be done in each of these areas.

Although OBDDs do not reduce the worst-case complexity of the model checking problem
for the $\mu$-calculus, their use in model checking has had an enormous effect on formal
verification. Before the use of OBDDs, it was only possible to verify models with at most
$10^6$ states [7]. By using the OBDD techniques described in this paper, in practice, it is now
possible to verify examples with up to $10^{120}$ states and several hundred state variables [5].
However, there is no theoretical framework which explains when OBDDs will work well in
practice. Our algorithm does not depend on the data structure used to represent boolean
functions, so it should be possible to use any better data structures that may be discovered.

In addition to the verification problems we have considered, there are other graph theoretic
problems that can be encoded in the $\mu$-calculus. An important question is how useful
these OBDD and fixpoint techniques are for problems like finding minimum spanning trees,
determining graph isomorphism, etc. For example, let $E(u, v)$ be the edge relation for a
directed graph and let each vertex $v$ be a state encoded by an assignment $\bar{v}$ to the boolean
variables $\bar{x} = x_1, \ldots, x_k$. The formula

$$\phi(\bar{x}) = \mu R.\,(\bar{x} \vee \langle a \rangle R)$$

where the interpretation for the program letter $a$ is the edge relation $E$ and $\bar{x}$ is read as the
proposition "the current state is the one encoded by $\bar{x}$", computes the set of states from which
the state encoded by the assignment to $\bar{x}$ can be reached (reversing $E$ gives the states reachable
from it; for the connectivity tests below the direction does not matter). Then the graph satisfies
the formula

$$[\bar{u} \to \phi(\bar{v})] \wedge [\bar{v} \to \phi(\bar{u})]$$

if and only if the two vertices $u$ and $v$ are in the same strongly connected component. In
general, the graph is strongly connected if and only if every vertex satisfies the formula

$$\forall \bar{x}.\, \phi(\bar{x}).$$

Although strictly speaking this is not a $\mu$-calculus formula according to our syntax, recall
that we allow quantification over boolean variables in our translation of the $\mu$-calculus into
OBDDs.

We also discuss efficient evaluation algorithms, which exploit monotonicity properties
when evaluating fixpoints. However, these algorithms remain exponential in the alternation
depth. We conjecture that there is no polynomial-time algorithm for determining if a state
satisfies a given formula. Consider an algorithm that computes least fixpoints by iterating
and that guesses greatest fixpoints. The guess for a greatest fixpoint can be easily checked
to see that it really is a fixpoint. Furthermore, while we cannot verify that it is the greatest
fixpoint, we know that the greatest fixpoint must contain any verified guess. Then by
monotonicity, the final value computed by this nondeterministic algorithm will be a subset
of the real interpretation of the formula. The state in question satisfies the formula if and
only if it is in the set computed by some run of the algorithm. Also note that we can negate
formulas, so the complexity of determining if a state satisfies a formula is the same as the
complexity of determining if a state does not satisfy the formula. Thus, the problem is in
the intersection of NP and co-NP. This suggests that our conjecture will be very difficult to
prove.